Firmware attack can drop persistent malware in hidden SSD area
The attack models are for drives with flex capacity features and target a hidden area on the device called over-provisioning, which is widely used by SSD makers these days for performance optimization on NAND flash-based storage systems.
One attack modeled by researchers at Korea University in Seoul targets an invalid data area with non-erased information that sits between the usable SSD space and the over-provisioning area, and whose size depends on the two.
The research paper explains that a hacker can change the size of the OP area by using the firmware manager, thus generating exploitable invalid data space.
In a second attack model, the OP area is used as a secret place that users cannot monitor or wipe, where a threat actor could hide malware.
After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%. At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area.
As a defense against the first type of attack, the researchers propose SSD makers wipe the OP area with a pseudo-erase algorithm that would not affect real-time performance.